Detection and defense of SQL injection attacks in web environment

xiaoxiao2021-03-06  39

Abstract: This paper briefly introduces the principle of the SQL injection attack. Starting from the idea of filtering the information users enter, it establishes a general detection / defense / filing model for SQL injection attacks. The model sets two levels of checks, one at the client side and one at the server side. For a general user's misoperation and low-grade malicious attacks, the client check responds automatically; since the client check may be bypassed by an experienced attacker, a second check is set at the server side. An automatic filing technique for high-level malicious attacks is also proposed, and the corresponding code is given.

Key words: system security; SQL Server; SQL injection attack; IDS detection

Security problems on the Internet are becoming more and more serious, and intrusion detection (IDS) is especially necessary. MS SQL Server is one of the main products in the database market; studying how it handles SQL injection attacks and establishing a general model for defending against, detecting and filing SQL injection attacks has positive significance for strengthening security construction.

1 SQL injection attack introduction

The term "SQL injection attack" comes from the English "SQL Injection Attack". There is currently no standard definition; usually the form and features of the attack are described. The Microsoft Technology Center describes two aspects: (1) script injection attacks; (2) malicious user input used to affect the SQL scripts that are executed. Stephen Kost gives another feature of this type of attack: it "obtains unauthorized access and direct retrieval from a database". In essence, the tool a SQL injection attack uses is the syntax of SQL itself, and it targets vulnerabilities introduced by the application developer during programming: "a SQL injection attack occurs when an attacker who can manipulate data inserts SQL statements into the application."
Since SQL injection attacks use SQL syntax, they have a wide range. In theory they are valid for all database software based on the SQL language, including MS SQL Server, Oracle, DB2, Sybase, MySQL, etc. Of course, each product has its own characteristics, and the final attack code may differ. The principle of the SQL injection attack is relatively simple and easy to master and implement, and the Internet hosts an astonishing number of database systems (in China alone, as of March 2003, there were more than 82,900), so in the past few years the number of SQL injection attacks has kept growing.

2 SQL injection attack detection and tracking

2.1 SQL attack detection / defense / tracking model

Much previous work has been done on defending against SQL injection attacks. The proposed solutions include: (1) encapsulating the information submitted by the client; (2) replacing or deleting sensitive characters / strings; (3) suppressing error information; (4) checking the legality of the submitted data before the server formally processes it.

Scheme (1) requires RDBMS support, and only Oracle currently uses this technology. Scheme (2) is an incomplete solution; one example illustrates its weakness: when the client input is "... ccmdmcmdd ..." and the sensitive string "cmd" is removed, what remains is exactly "... cmd ...". The essence of scheme (3) is to remedy after the server has processed the request, when the attack has already happened; it only prevents the attacker from learning the result of the attack. Scheme (4) is regarded by most researchers as the most fundamental solution: before the legality of the client input is confirmed, the server refuses to perform critical processing operations. The difference between schemes (4) and (2) is that, once scheme (4) detects a sensitive character / string, the database operation is aborted, whereas scheme (2) repairs the problematic client input and does not abort the subsequent processing.

Although scheme (2) is effective, it is suspected of treating the symptom rather than the cause: new attack methods are constantly being discovered, and as long as the server program is allowed to use the submitted information, there is always the possibility of an attack. Therefore, the detection / defense / filing model for SQL injection attacks in this paper is based on the legality check of submitted information, with two levels of checks at the client and the server; as long as either level is not passed, the submitted information does not enter the query statement and cannot constitute an attack. The client and server check functions are basically the same. The main roles of the client check are to reduce network traffic, reduce server load, and distinguish between general mistakes, low-level attacks and high-level attack behaviour. Technically, the client check can be bypassed by an experienced attacker, in which case the submitted data is sent directly to the server, so a second check must be set at the server side. Since data properly submitted to the server has already been checked by the client, an abnormality found by the server check can basically be regarded as caused by malicious attack behaviour: processing of the submitted information is aborted, the attack is filed, and a warning prompt is given to the client. The corresponding model is shown in simplified form in Figure 1.

2.2 Checking

The check of submitted information mainly includes a data type check, a data length check, and sensitive-character filtering. The first two can use available functions directly; sensitive-character filtering requires the application developer to do the corresponding development. In summary, these sensitive characters must be used in an injection statement, so a filter function can be written for them, and they are filtered before the uploaded parameters are combined into the query statement. The following two functions are the main code of the filter module:

2.3 Tracking

People who submit illegal characters may be SQL injection attackers. However, since a user's misoperation in normal use can also submit an illegal character / string, the client's first-level check is aimed at user misoperation and general (low-level) attacks, and its handling measure is only to suspend processing and give a friendly error prompt. If the information submitted to the server still contains an illegal character / string after the first-level check, the only possibility is that an attacker has bypassed the client's first-level check. For this dangerous signal, the server side extracts the IP address of the attack source from the received submission packet and records it in the database for filing, while aborting the database operation.
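The filter module of section 2.2 and the filing step of section 2.3 are not reproduced on this page, so the following is an added example in Python, not the paper's own code (which was written for the Windows 2000 Server / SQL Server 2000 environment). It implements the two-level model as described: the same type, length and sensitive-character check runs at the client and at the server; a client failure only suspends with a friendly prompt, while a server failure is treated as a bypass, aborts the database operation and files the source IP. The sensitive-token list, the `FieldRule` rules, the `filing` list standing in for the filing table, and the sample submissions (including the IP address 198.51.100.23) are all constructed for this example. The `scheme2_delete` function is included only to reproduce the "ccmdmcmdd" weakness of scheme (2) from section 2.1.

```python
"""Two-level check with server-side filing (added example, not the paper's code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed list of sensitive characters / strings; the paper's own list is not on this page.
SENSITIVE_TOKENS = ("'", '"', ";", "--", "/*", "*/", "xp_", "exec", "union", "select", "drop", "cmd")


@dataclass(frozen=True)
class FieldRule:
    """Check rule for one submitted parameter: expected type ("int" or "text") and maximum length."""
    name: str
    kind: str
    max_len: int


# Constructed rules for a form with two parameters.
RULES = (FieldRule("id", "int", 10), FieldRule("name", "text", 20))


def scheme2_delete(value: str, token: str) -> str:
    """Scheme (2) of section 2.1: delete each occurrence of a sensitive string once.
    Included only to show its weakness: the characters left over can re-form the token."""
    return re.sub(re.escape(token), "", value, flags=re.IGNORECASE)


def find_sensitive(value: str):
    """Return the first sensitive token present in value (case-insensitive), or None."""
    low = value.lower()
    for tok in SENSITIVE_TOKENS:
        if tok in low:
            return tok
    return None


def check_field(value: str, rule: FieldRule):
    """Type, length and sensitive-character checks of section 2.2.
    Returns None when the field passes, otherwise a short reason string."""
    if len(value) > rule.max_len:
        return f"{rule.name}: length {len(value)} exceeds {rule.max_len}"
    if rule.kind == "int":
        # A value that is purely an integer cannot carry a sensitive string.
        return None if re.fullmatch(r"-?\d+", value) else f"{rule.name}: not an integer"
    tok = find_sensitive(value)
    return None if tok is None else f"{rule.name}: contains sensitive string {tok!r}"


def check_submission(form: dict, rules=RULES) -> list:
    """Apply every rule to the form; an empty list means the submission passed."""
    reasons = (check_field(str(form.get(r.name, "")), r) for r in rules)
    return [reason for reason in reasons if reason]


def client_check(form: dict, rules=RULES) -> dict:
    """First-level check (client side): on failure only suspend and give a friendly prompt."""
    errors = check_submission(form, rules)
    if errors:
        return {"status": "suspended",
                "prompt": "The input contains characters that are not allowed: " + "; ".join(errors)}
    return {"status": "submitted", "form": form}


def server_check(packet: dict, filing: list, rules=RULES) -> dict:
    """Second-level check (server side). Data reaching the server has already passed the
    client check, so a failure here is treated as a bypass: abort the database operation,
    file the source IP and the offending data (section 2.3), and warn the client."""
    errors = check_submission(packet["form"], rules)
    if errors:
        filing.append({"ip": packet["remote_addr"],
                       "time": datetime.now(timezone.utc).isoformat(),
                       "reasons": errors,
                       "form": dict(packet["form"])})
        return {"status": "aborted", "warning": "Illegal submission recorded."}
    return {"status": "accepted", "form": packet["form"]}


if __name__ == "__main__":
    print(scheme2_delete("...ccmdmcmdd...", "cmd"))  # ...cmd...
    print(client_check({"id": "7", "name": "alice"}))
    print(client_check({"id": "7 or 1=1", "name": "alice"}))
    records = []  # stands in for the filing table in the database
    print(server_check({"remote_addr": "198.51.100.23",
                        "form": {"id": "7", "name": "a' or 1=1--"}}, records))
    print(records)
```

Two points worth keeping in mind when applying this model: the integer rule passes only a pure integer, so a numeric parameter never reaches the sensitive-string scan at all, which is the cheapest and most reliable check of the three; and a blacklist of characters such as the apostrophe will also reject legitimate text (a surname like O'Brien), which is exactly why the paper has the client level respond with a friendly prompt and only the server level file the event.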

3 Conclusion

Since SQL injection attacks result from loose programming during application development, this kind of attack is "legal" as far as most firewalls are concerned, and the solution to the problem depends only on improving the programming. There are few tools against SQL injection attacks; Wpoison is of some help for ASP and PHP development. The DDL (detection / defense / filing) model in this paper can be used as a holistic solution for relational databases other than SQL Server. The model has been applied to a web database development project in a certain organization and has achieved good results. The code given in this paper has been tested in the Windows 2000 Server + SQL Server 2000 environment.

